The original malicious document (SHA256: 432bae48edf446539cae5e20623c39507ad65e21cb757fb514aba635d3ae67d6) contains an external web link.
The relationships file (word/_rels/document.xml.rels) is an XML file that maps relationships between parts inside the .docx package, and also to resources outside the package, such as links or images.
Once the document is clicked, it starts connecting to the external Discord CDN attachment space ‘hxxps://cdn[.]discordapp.com/attachments/986484515985825795/986821210044264468/index[.]htm’ to download an HTML file.
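For triage, the relationships file described above can be read without opening the document in Word. The following is an added example, not code from the original analysis: it lists relationships marked `TargetMode="External"` and flags the non-hyperlink ones that point at a web URL. The sample document, the placeholder URL, the `oleObject` relationship type and the flagging heuristic are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

def external_relationships(docx_bytes):
    """Return (Id, short type, Target) for each relationship marked TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return []
        # ElementTree does not fetch external entities; prefer defusedxml for untrusted samples.
        root = ET.fromstring(zf.read(RELS_PATH))
    found = []
    for rel in root.iter("{%s}Relationship" % PKG_NS):
        if rel.get("TargetMode", "").lower() == "external":
            short_type = rel.get("Type", "").rsplit("/", 1)[-1]
            found.append((rel.get("Id"), short_type, rel.get("Target", "")))
    return found

def needs_review(rels):
    """Heuristic (assumption of this example): ordinary hyperlinks are common in benign
    documents, so only non-hyperlink relationships that point at a web URL are flagged."""
    return [r for r in rels
            if r[1] != "hyperlink" and ("http://" in r[2].lower() or "https://" in r[2].lower())]

def build_sample_docx():
    """Constructed sample: one internal part, one benign hyperlink, one remote object."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="%s/hyperlink" Target="https://example.com/" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="%s/oleObject" '
        'Target="https://cdn.example.invalid/attachments/0/0/index.htm" TargetMode="External"/>'
        '</Relationships>' % (PKG_NS, DOC_NS, DOC_NS, DOC_NS)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()

if __name__ == "__main__":
    for rel_id, rel_type, target in needs_review(external_relationships(build_sample_docx())):
        print(rel_id, rel_type, target)
```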
After it downloads the HTML file (SHA256: 3558840ffbc81839a5923ed2b675c1970cdd7c9e0036a91a0a728af14f80eff3), the document then invokes msdt.exe with a PowerShell command.
The command is lightly obfuscated: separate strings are concatenated at run time to hide the actual command and evade simple string detection.
Decoding the Base64 string reveals the complete command.
The PowerShell code will download one batch file cd.bat (SHA256: 5d8537bd7e711f430dc0c28a7777c9176269c8d3ff345b9560c8b9d4daaca002) and start it with no window to hide itself.
Then it invokes another web request to download Rozena and saves it as “Word.exe” (SHA256: 69377adfdfa50928fade860e37b84c10623ef1b11164ccc6c4b013a468601d88) in the Windows Tasks folder.
These two files are also downloaded from the Discord CDN attachment space with the same channelID as the external link in the original document.